NIST publishes new Secure Domain Name System (DNS) Deployment Guide

Advice on organising and securing your DNS infrastructure

NIST Entrance Sign on the Gaithersburg Campus in Maryland (USA)

US standardisation and technology institute NIST has made the first public draft of its Secure Domain Name System (DNS) Deployment Guide available online. The guide provides comprehensive advice on organising and securing your DNS service. DNSSEC obviously features, but the document also covers numerous other DNS-related topics.

NIST is accepting public feedback on the draft document until 25 May.

The Secure Domain Name System (DNS) Deployment Guide goes through a long series of recommendations on organising and securing your DNS infrastructure. Naturally, authoritative DNS services and recursive resolvers are considered, and the relationship between DNS security and more general information security is addressed as well.

Focus points

A number of important topics and focus points highlighted in the guide are summarised below, along with some of the key takeaways.

Critical infrastructure and information security

  • The DNS is a critical infrastructure component and should therefore be covered by an organisation-wide information security strategy

  • Because of its scalability and efficiency, an organisation’s DNS set-up is a good place to implement security measures, as shown by the security protocols developed on the basis of DNSSEC (e.g. SPF/DKIM/DMARC, DANE and ZONEMD) and by DNSBLs (for blocking spam)

  • Use of a DNS resolver to block access to malware domains ("Protective DNS")

Secure DNS

DNSSEC

DNS resolving

  • Recursive resolvers, forwarders and stub resolvers

  • Encrypted DNS services based on the use of DoT/DoH/DoQ

  • Blocking of DNS queries that bypass the organisation’s own resolvers

  • DNSSEC validation

  • Management and updating of DNSSEC trust anchors

Further reading

Those topics and many others are covered in NIST's new Deployment Guide. We advise DNS operators to read the guide to see what else they could do to improve their infrastructures.